Vulnerabilities / Threats
01:02 PM

Ransomware Pays: FBI Updates Reveton Malware Warning

Latest malware, trying to trick users into paying a fine, claims the FBI is using audio, video, and other devices to record computer's "illegal" activity.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Can people pay a fine online, avoid the threat of prosecution by the FBI, and unlock their locked PC all in one go?

That's the offer made by a "Threat of Prosecution Reminder" that's been flashing on numerous PC screens, which says that the FBI has locked the PC after finding evidence that the computer has been used to access child pornography or other illegal content. The latest version of this notice says that "all activity on this computer is being recorded using audio, video, and other devices." But users are offered a way to pay the related fine being levied, immediately unlock their PC, and see the whole matter immediately dismissed.

The warning, however, is just a setup. "This is not a legitimate communication from the IC3, but rather is an attempt to extort money from the victim," according to an advisory released last week by the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center. "If you have received this or something similar do not follow payment instruction."

[ How effective is anti-virus software? Antivirus Tool Fail: Blocking Success Varies By 58%. ]

The extortion part of the scam -- now also featured on the FBI's list of e-scams -- is facilitated by a malicious application known as Reveton, which according to antivirus vendor F-Secure "fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' must be paid to restore normal access." Machines are typically infected with Reveton via malicious websites -- using drive-by download attacks launched by Citadel crimeware -- rather than being introduced via phishing attacks or malicious email attachments.

"To unlock the computer, the user is instructed to pay a fine using prepaid money card services," according to the IC3. "The geographic location of the user's PC determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud."

Don't pay the bogus fine, but do seek help when removing Reveton. "Manual disinfection is a risky process; it is recommended only for advanced users," says F-Secure. If a PC has been infected, also don't rely on any antivirus software that's already been installed, as "some variants of [Reveton] may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection," states a Microsoft malware advisory.

Numerous Reveton-driven ransomware campaigns have been seen this year, localized not just for residents of the United States but also for Finland, Ireland, Germany, and other parts of Europe. The FBI previously released an alert about the Reveton malware in August, with IC3 manager Donna Gregory saying, "We're getting inundated with complaints," and noting that fine payments of $200 didn't seem to be uncommon.

Given the FBI's new warning, PC users obviously haven't been getting the message about the scam. The latest version of Reveton also contains a variation on the previous social-engineering attack. "In addition to instilling a fear of prosecution, this version of the malware also claims that the user's computer activity is being recorded using audio, video, and other devices," according to the IC3.

Unfortunately, any PC infected with Reveton faces further problems, as the malware is delivered by the Citadel malware toolkit, which does in fact include the ability to record whatever users are doing on their PC screen, typically for the purposes of committing "online banking and credit card fraud," according to the IC3.

The latest version of the Russian-language Citadel malware, unveiled earlier this month, includes other advanced capabilities too, such as grabbing passwords from Firefox and Chrome, or using Web injection to modify code on targeted websites, potentially allowing them to trick users into divulging their log-in credentials. Citadel is one of a number of well-known financial malware crimeware toolkits, such as Blackhole, Crisis, SpyEye and Zeus, which include command-and-control software that allows the botmaster to easily relay data from compromised, or zombie machines. The compromised machines can also be used as relays in spam networks or nodes in a larger distributed denial-of-service campaign.

Why do criminals bother with ransomware? Simply put, because such attacks seem to pay. Symantec security researchers Gavin O'Gorman and Geoff McDonald recently studied 68,000 PCs that had been compromised by ransomware in the space of a month, and found that attackers' haul could have been $400,000. One recent 18-day Reveton attack, meanwhile, had attempted to infect 500,000 PCs. "Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," wrote the researchers in a related report. "The real number is, however, likely much higher."

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
12/17/2012 | 8:26:54 AM
re: Ransomware Pays: FBI Updates Reveton Malware Warning
Keeping up on list of IT scams I am sure would help you in a situation like this. Sounds like nasty malware tough, allowing its self to monitor audio and video, and even pull your browser passwords and such. It did not really go int o detail abut how to get rid of it, is there a easier way or should I say free way or do I have to pay a fee somewhere to have it removed, ironic huh?

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Published: 2015-03-29
The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before, 7.1.0 before, 7.1.1 before, and 7.2.0 before allows local users to gain privileges by leveraging an ability to modify system files.

Published: 2015-03-29
Schneider Electric InduSoft Web Studio before SP3 Patch 4 and InTouch Machine Edition 2014 before SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive info...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.